Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 19:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe
-
Size
454KB
-
MD5
860567e1d47173adfb2ede47bd9ebd36
-
SHA1
8b82b66ec7724c6921b8308793705320508b16c4
-
SHA256
086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783
-
SHA512
9aba77808cad8b9169a0b58583681609f035e125e48203e0cfdc679521917e76ffb1228a04fbce40f58eed6bc5b02fe9c6d3131c148738781680282075f5af84
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeP:q7Tc2NYHUrAwfMp3CDP
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/540-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1680-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/412-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-764-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-1153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-1211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-1305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4956-1315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2148 flrflxl.exe 3516 lfrlxxl.exe 388 dppvv.exe 4640 vjdvd.exe 4476 8026486.exe 3524 80200.exe 432 40202.exe 684 284864.exe 1552 0282604.exe 3920 nntnnb.exe 3304 rrrflfr.exe 2500 48404.exe 964 6286048.exe 3568 24004.exe 2700 rlrrrrr.exe 1444 6404826.exe 4864 hnhbtn.exe 628 hbbbhh.exe 2936 pjppp.exe 4436 222266.exe 1288 jvvpj.exe 1864 vpvjp.exe 1880 ttthtn.exe 912 s0086.exe 976 ntbnth.exe 464 flfrxrf.exe 2636 0002668.exe 3400 88808.exe 2272 xfrflff.exe 1076 fllfxrr.exe 4932 66642.exe 3924 jvpdj.exe 868 268682.exe 2216 xxxlxrf.exe 4708 5dvvd.exe 2528 xffrfxl.exe 4364 q88648.exe 1752 800248.exe 2324 nbthtb.exe 1980 644248.exe 1680 80408.exe 2248 2488044.exe 4508 806482.exe 2220 btnbnb.exe 1592 xffrxxl.exe 908 ttbntn.exe 456 lxxlfrf.exe 3448 206086.exe 716 vpjvd.exe 3536 082682.exe 224 htbnnb.exe 2152 fllxfff.exe 3116 640820.exe 4064 0808828.exe 4744 2048642.exe 3468 6062442.exe 3976 04428.exe 3512 5rxxflr.exe 436 40604.exe 4312 tnhbnb.exe 3588 thtbnb.exe 4140 tbthnh.exe 4092 vjdpv.exe 392 0266486.exe -
resource yara_rule behavioral2/memory/540-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-212-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2324-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3120-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-764-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-859-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-862-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22602.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c824286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8288884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
djddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 2148 540 086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe 83 PID 540 wrote to memory of 2148 540 086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe 83 PID 540 wrote to memory of 2148 540 086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe 83 PID 2148 wrote to memory of 3516 2148 flrflxl.exe 84 PID 2148 wrote to memory of 3516 2148 flrflxl.exe 84 PID 2148 wrote to memory of 3516 2148 flrflxl.exe 84 PID 3516 wrote to memory of 388 3516 lfrlxxl.exe 85 PID 3516 wrote to memory of 388 3516 lfrlxxl.exe 85 PID 3516 wrote to memory of 388 3516 lfrlxxl.exe 85 PID 388 wrote to memory of 4640 388 dppvv.exe 86 PID 388 wrote to memory of 4640 388 dppvv.exe 86 PID 388 wrote to memory of 4640 388 dppvv.exe 86 PID 4640 wrote to memory of 4476 4640 vjdvd.exe 87 PID 4640 wrote to memory of 4476 4640 vjdvd.exe 87 PID 4640 wrote to memory of 4476 4640 vjdvd.exe 87 PID 4476 wrote to memory of 3524 4476 8026486.exe 88 PID 4476 wrote to memory of 3524 4476 8026486.exe 88 PID 4476 wrote to memory of 3524 4476 8026486.exe 88 PID 3524 wrote to memory of 432 3524 80200.exe 89 PID 3524 wrote to memory of 432 3524 80200.exe 89 PID 3524 wrote to memory of 432 3524 80200.exe 89 PID 432 wrote to memory of 684 432 40202.exe 90 PID 432 wrote to memory of 684 432 40202.exe 90 PID 432 wrote to memory of 684 432 40202.exe 90 PID 684 wrote to memory of 1552 684 284864.exe 91 PID 684 wrote to memory of 1552 684 284864.exe 91 PID 684 wrote to memory of 1552 684 284864.exe 91 PID 1552 wrote to memory of 3920 1552 0282604.exe 92 PID 1552 wrote to memory of 3920 1552 0282604.exe 92 PID 1552 wrote to memory of 3920 1552 0282604.exe 92 PID 3920 wrote to memory of 3304 3920 nntnnb.exe 93 PID 3920 wrote to memory of 3304 3920 nntnnb.exe 93 PID 3920 wrote to memory of 3304 3920 nntnnb.exe 93 PID 3304 wrote to memory of 2500 3304 rrrflfr.exe 94 PID 3304 wrote to memory of 2500 3304 rrrflfr.exe 
94 PID 3304 wrote to memory of 2500 3304 rrrflfr.exe 94 PID 2500 wrote to memory of 964 2500 48404.exe 95 PID 2500 wrote to memory of 964 2500 48404.exe 95 PID 2500 wrote to memory of 964 2500 48404.exe 95 PID 964 wrote to memory of 3568 964 6286048.exe 96 PID 964 wrote to memory of 3568 964 6286048.exe 96 PID 964 wrote to memory of 3568 964 6286048.exe 96 PID 3568 wrote to memory of 2700 3568 24004.exe 97 PID 3568 wrote to memory of 2700 3568 24004.exe 97 PID 3568 wrote to memory of 2700 3568 24004.exe 97 PID 2700 wrote to memory of 1444 2700 rlrrrrr.exe 98 PID 2700 wrote to memory of 1444 2700 rlrrrrr.exe 98 PID 2700 wrote to memory of 1444 2700 rlrrrrr.exe 98 PID 1444 wrote to memory of 4864 1444 6404826.exe 99 PID 1444 wrote to memory of 4864 1444 6404826.exe 99 PID 1444 wrote to memory of 4864 1444 6404826.exe 99 PID 4864 wrote to memory of 628 4864 hnhbtn.exe 100 PID 4864 wrote to memory of 628 4864 hnhbtn.exe 100 PID 4864 wrote to memory of 628 4864 hnhbtn.exe 100 PID 628 wrote to memory of 2936 628 hbbbhh.exe 101 PID 628 wrote to memory of 2936 628 hbbbhh.exe 101 PID 628 wrote to memory of 2936 628 hbbbhh.exe 101 PID 2936 wrote to memory of 4436 2936 pjppp.exe 102 PID 2936 wrote to memory of 4436 2936 pjppp.exe 102 PID 2936 wrote to memory of 4436 2936 pjppp.exe 102 PID 4436 wrote to memory of 1288 4436 222266.exe 103 PID 4436 wrote to memory of 1288 4436 222266.exe 103 PID 4436 wrote to memory of 1288 4436 222266.exe 103 PID 1288 wrote to memory of 1864 1288 jvvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe"C:\Users\Admin\AppData\Local\Temp\086260fd83d89a1bb1914ac053fb4557609fdfc9079912a91e917bd6e55cb783.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\flrflxl.exec:\flrflxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\lfrlxxl.exec:\lfrlxxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\dppvv.exec:\dppvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\vjdvd.exec:\vjdvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\8026486.exec:\8026486.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\80200.exec:\80200.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\40202.exec:\40202.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\284864.exec:\284864.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\0282604.exec:\0282604.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\nntnnb.exec:\nntnnb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\rrrflfr.exec:\rrrflfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\48404.exec:\48404.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\6286048.exec:\6286048.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\24004.exec:\24004.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\6404826.exec:\6404826.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\hnhbtn.exec:\hnhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\hbbbhh.exec:\hbbbhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\pjppp.exec:\pjppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\222266.exec:\222266.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\jvvpj.exec:\jvvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\vpvjp.exec:\vpvjp.exe23⤵
- Executes dropped EXE
PID:1864 -
\??\c:\ttthtn.exec:\ttthtn.exe24⤵
- Executes dropped EXE
PID:1880 -
\??\c:\s0086.exec:\s0086.exe25⤵
- Executes dropped EXE
PID:912 -
\??\c:\ntbnth.exec:\ntbnth.exe26⤵
- Executes dropped EXE
PID:976 -
\??\c:\flfrxrf.exec:\flfrxrf.exe27⤵
- Executes dropped EXE
PID:464 -
\??\c:\0002668.exec:\0002668.exe28⤵
- Executes dropped EXE
PID:2636 -
\??\c:\88808.exec:\88808.exe29⤵
- Executes dropped EXE
PID:3400 -
\??\c:\xfrflff.exec:\xfrflff.exe30⤵
- Executes dropped EXE
PID:2272 -
\??\c:\fllfxrr.exec:\fllfxrr.exe31⤵
- Executes dropped EXE
PID:1076 -
\??\c:\66642.exec:\66642.exe32⤵
- Executes dropped EXE
PID:4932 -
\??\c:\jvpdj.exec:\jvpdj.exe33⤵
- Executes dropped EXE
PID:3924 -
\??\c:\268682.exec:\268682.exe34⤵
- Executes dropped EXE
PID:868 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe35⤵
- Executes dropped EXE
PID:2216 -
\??\c:\5dvvd.exec:\5dvvd.exe36⤵
- Executes dropped EXE
PID:4708 -
\??\c:\xffrfxl.exec:\xffrfxl.exe37⤵
- Executes dropped EXE
PID:2528 -
\??\c:\q88648.exec:\q88648.exe38⤵
- Executes dropped EXE
PID:4364 -
\??\c:\800248.exec:\800248.exe39⤵
- Executes dropped EXE
PID:1752 -
\??\c:\nbthtb.exec:\nbthtb.exe40⤵
- Executes dropped EXE
PID:2324 -
\??\c:\644248.exec:\644248.exe41⤵
- Executes dropped EXE
PID:1980 -
\??\c:\80408.exec:\80408.exe42⤵
- Executes dropped EXE
PID:1680 -
\??\c:\2488044.exec:\2488044.exe43⤵
- Executes dropped EXE
PID:2248 -
\??\c:\806482.exec:\806482.exe44⤵
- Executes dropped EXE
PID:4508 -
\??\c:\btnbnb.exec:\btnbnb.exe45⤵
- Executes dropped EXE
PID:2220 -
\??\c:\xffrxxl.exec:\xffrxxl.exe46⤵
- Executes dropped EXE
PID:1592 -
\??\c:\ttbntn.exec:\ttbntn.exe47⤵
- Executes dropped EXE
PID:908 -
\??\c:\lxxlfrf.exec:\lxxlfrf.exe48⤵
- Executes dropped EXE
PID:456 -
\??\c:\206086.exec:\206086.exe49⤵
- Executes dropped EXE
PID:3448 -
\??\c:\vpjvd.exec:\vpjvd.exe50⤵
- Executes dropped EXE
PID:716 -
\??\c:\082682.exec:\082682.exe51⤵
- Executes dropped EXE
PID:3536 -
\??\c:\htbnnb.exec:\htbnnb.exe52⤵
- Executes dropped EXE
PID:224 -
\??\c:\fllxfff.exec:\fllxfff.exe53⤵
- Executes dropped EXE
PID:2152 -
\??\c:\640820.exec:\640820.exe54⤵
- Executes dropped EXE
PID:3116 -
\??\c:\8640260.exec:\8640260.exe55⤵PID:3876
-
\??\c:\0808828.exec:\0808828.exe56⤵
- Executes dropped EXE
PID:4064 -
\??\c:\2048642.exec:\2048642.exe57⤵
- Executes dropped EXE
PID:4744 -
\??\c:\6062442.exec:\6062442.exe58⤵
- Executes dropped EXE
PID:3468 -
\??\c:\04428.exec:\04428.exe59⤵
- Executes dropped EXE
PID:3976 -
\??\c:\5rxxflr.exec:\5rxxflr.exe60⤵
- Executes dropped EXE
PID:3512 -
\??\c:\40604.exec:\40604.exe61⤵
- Executes dropped EXE
PID:436 -
\??\c:\tnhbnb.exec:\tnhbnb.exe62⤵
- Executes dropped EXE
PID:4312 -
\??\c:\thtbnb.exec:\thtbnb.exe63⤵
- Executes dropped EXE
PID:3588 -
\??\c:\tbthnh.exec:\tbthnh.exe64⤵
- Executes dropped EXE
PID:4140 -
\??\c:\vjdpv.exec:\vjdpv.exe65⤵
- Executes dropped EXE
PID:4092 -
\??\c:\0266486.exec:\0266486.exe66⤵
- Executes dropped EXE
PID:392 -
\??\c:\lrfrfxl.exec:\lrfrfxl.exe67⤵PID:532
-
\??\c:\644204.exec:\644204.exe68⤵PID:1736
-
\??\c:\2008606.exec:\2008606.exe69⤵PID:4552
-
\??\c:\244204.exec:\244204.exe70⤵PID:2880
-
\??\c:\djddp.exec:\djddp.exe71⤵
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\nhhtth.exec:\nhhtth.exe72⤵PID:2500
-
\??\c:\2000066.exec:\2000066.exe73⤵PID:3424
-
\??\c:\s8464.exec:\s8464.exe74⤵PID:4968
-
\??\c:\644826.exec:\644826.exe75⤵PID:412
-
\??\c:\2228004.exec:\2228004.exe76⤵PID:640
-
\??\c:\6442086.exec:\6442086.exe77⤵PID:5116
-
\??\c:\00420.exec:\00420.exe78⤵PID:4616
-
\??\c:\2082442.exec:\2082442.exe79⤵PID:2828
-
\??\c:\086420.exec:\086420.exe80⤵PID:744
-
\??\c:\9ddpj.exec:\9ddpj.exe81⤵PID:3616
-
\??\c:\dppdj.exec:\dppdj.exe82⤵PID:2244
-
\??\c:\7hthtn.exec:\7hthtn.exe83⤵PID:4296
-
\??\c:\rflrfxl.exec:\rflrfxl.exe84⤵PID:3120
-
\??\c:\226680.exec:\226680.exe85⤵PID:3432
-
\??\c:\w44264.exec:\w44264.exe86⤵PID:912
-
\??\c:\888488.exec:\888488.exe87⤵PID:1884
-
\??\c:\202642.exec:\202642.exe88⤵PID:3596
-
\??\c:\24444.exec:\24444.exe89⤵PID:2548
-
\??\c:\pdpjp.exec:\pdpjp.exe90⤵PID:4484
-
\??\c:\vvpdp.exec:\vvpdp.exe91⤵PID:2748
-
\??\c:\djdpj.exec:\djdpj.exe92⤵PID:4932
-
\??\c:\rxxllff.exec:\rxxllff.exe93⤵PID:3924
-
\??\c:\82608.exec:\82608.exe94⤵PID:832
-
\??\c:\244608.exec:\244608.exe95⤵PID:1832
-
\??\c:\jvpdj.exec:\jvpdj.exe96⤵PID:4012
-
\??\c:\488240.exec:\488240.exe97⤵PID:3364
-
\??\c:\0002042.exec:\0002042.exe98⤵PID:1572
-
\??\c:\e40684.exec:\e40684.exe99⤵PID:2668
-
\??\c:\82046.exec:\82046.exe100⤵PID:1520
-
\??\c:\jjjvd.exec:\jjjvd.exe101⤵PID:2740
-
\??\c:\24424.exec:\24424.exe102⤵PID:2768
-
\??\c:\htbtnn.exec:\htbtnn.exe103⤵PID:1016
-
\??\c:\nhnbbb.exec:\nhnbbb.exe104⤵PID:1592
-
\??\c:\bhhthb.exec:\bhhthb.exe105⤵PID:516
-
\??\c:\frlxfxl.exec:\frlxfxl.exe106⤵PID:1628
-
\??\c:\jvvpd.exec:\jvvpd.exe107⤵PID:4620
-
\??\c:\4664664.exec:\4664664.exe108⤵PID:3448
-
\??\c:\lxlxlfr.exec:\lxlxlfr.exe109⤵PID:1452
-
\??\c:\jvvjd.exec:\jvvjd.exe110⤵PID:2692
-
\??\c:\662028.exec:\662028.exe111⤵PID:224
-
\??\c:\btnbth.exec:\btnbth.exe112⤵PID:4784
-
\??\c:\xffrxrf.exec:\xffrxrf.exe113⤵PID:4260
-
\??\c:\42866.exec:\42866.exe114⤵PID:4276
-
\??\c:\80646.exec:\80646.exe115⤵PID:4836
-
\??\c:\tbhbtt.exec:\tbhbtt.exe116⤵PID:1332
-
\??\c:\bbbbtn.exec:\bbbbtn.exe117⤵PID:3444
-
\??\c:\o020482.exec:\o020482.exe118⤵PID:2148
-
\??\c:\860082.exec:\860082.exe119⤵PID:2480
-
\??\c:\04020.exec:\04020.exe120⤵PID:1636
-
\??\c:\u408660.exec:\u408660.exe121⤵PID:388
-
\??\c:\8666446.exec:\8666446.exe122⤵PID:436